Tuesday, November 14, 2017

Firefox - setting cookies via DOMParser

Firefox < 57 - setting cookies via DOMParser

While doing some research I discovered an interesting behavior in Firefox.
The following JavaScript code stores an XHTML document as a string in the meta variable.
Afterwards the variable is parsed via the DOMParser interface, which returns a valid XMLDocument:

While parsing the defined XHTML structure, Firefox processes the meta tag and sets the cookie pppt=qqq. You would assume the cookie would exist solely in the context of the parsed XHTML document, but I discovered that it is actually set on the domain executing the PoC.

This means that if a website, e.g. example.com, parses a user-controlled string via DOMParser, it is possible to set cookies for example.com. It must be noted that this behavior is only present for the XML/XHTML content types passed to parseFromString; text/html does not suffer from this vulnerability.

So - is that really interesting??? Yeah, let's set cookies via a PDF!

I actually discovered this vulnerability while having a look at the implementation of PDF.js.
Let's have a look:

Some background information: the PDF standard defines two ways to attach metadata to a document. As the old way was limited in the amount of information an author could add, another metadata object was introduced, which is an XML structure. PDF.js parses this XML structure to extract the information, and it does so by passing the structure to DOMParser, which makes it vulnerable to the cookie issue described above.

I reported this vulnerability to Mozilla as well as to the PDF.js team. PDF.js decided to drop the call to DOMParser, as it was overkill, and switched to a SimpleXML parser for the metadata structure. The fix was already in Firefox Nightly and has now landed in Firefox stable.
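The following is an added example, not the author's PoC and not PDF.js's code: a guard that inspects a PDF's XML metadata (XMP) string for the constructs this post describes (an XHTML namespace declaration and a meta element carrying http-equiv) before anything hands it to DOMParser, plus a small DOMParser-free field extractor in the spirit of the SimpleXML switch above. SAMPLE_XMP is a constructed packet and the function names are my own; a real viewer would run auditMetadataXml on the metadata stream it pulled out of the PDF.

```javascript
// Namespace that makes DOMParser treat parsed elements as XHTML in Firefox.
const XHTML_NS = "http://www.w3.org/1999/xhtml";

// Constructed sample XMP packet: ordinary Dublin Core fields followed by an
// XHTML fragment of the kind the post describes (meta http-equiv Set-Cookie).
const SAMPLE_XMP = `<?xpacket begin="" ?>
<x:xmpmeta xmlns:x="adobe:ns:meta/">
  <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
    <rdf:Description rdf:about="" xmlns:dc="http://purl.org/dc/elements/1.1/">
      <dc:title><rdf:Alt><rdf:li xml:lang="x-default">Quarterly report</rdf:li></rdf:Alt></dc:title>
    </rdf:Description>
    <html xmlns="http://www.w3.org/1999/xhtml"><head>
      <meta http-equiv="Set-Cookie" content="pppt=qqq"/>
    </head></html>
  </rdf:RDF>
</x:xmpmeta>
<?xpacket end="w"?>`;

// Scan every start tag and report constructs that would let an XHTML-parsed
// DOMParser document act on the hosting page. Deliberately conservative: a
// tag inside a comment is reported too, since rejecting is the safe outcome.
function auditMetadataXml(xml) {
  const findings = [];
  const tagRe = /<([A-Za-z_][\w:.-]*)([^>]*)>/g; // start tags only (no </, <?, <!)
  let m;
  while ((m = tagRe.exec(xml)) !== null) {
    const [, name, attrs] = m;
    const local = name.includes(":") ? name.split(":")[1] : name;
    if (attrs.includes(XHTML_NS)) findings.push(`XHTML namespace declared on <${name}>`);
    if (local.toLowerCase() === "meta" && /\bhttp-equiv\s*=/i.test(attrs)) {
      findings.push(`<${name}> carries http-equiv`);
    }
  }
  return findings;
}

// Pull the text of one XMP element (e.g. "dc:title") without building a DOM,
// so no meta/http-equiv processing can ever run. Returns null when absent.
function extractXmpText(xml, qualifiedName) {
  const esc = qualifiedName.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const m = new RegExp(`<${esc}(?:\\s[^>]*)?>([\\s\\S]*?)</${esc}>`).exec(xml);
  if (!m) return null;
  return m[1].replace(/<[^>]+>/g, "").trim() // drop rdf:Alt / rdf:li wrappers
    .replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&quot;/g, '"').replace(/&amp;/g, "&");
}

console.log(auditMetadataXml(SAMPLE_XMP)); // two findings: namespace and http-equiv
console.log(extractXmpText(SAMPLE_XMP, "dc:title")); // "Quarterly report"
```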

The following example PDF demonstrates this behavior; I modified an example PDF published by corkami: